Sherman's Security Blog
I am Sherman Hand. (also known as Policysup) I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down to earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations,re posts, or information that is already in the public domain.

We left 2015 talking about exponential increases in ransomware attempts on a quarter over quarter basis. No surprise that we begin 2016 talking ransomware and its many variants, as this threat vector has been a financial bonanza for cyber criminals and cyber attackers having extorted tens of millions of dollars over the past 18 months from victims.

Though originally founded upon a version of ransomware called CyptoLocker 3.0, other variants have surfaced and have been nearly as successful – a spin-off called CryptoWall generated over $300 million for one criminal gang.

What is ransomware? In general, it is a scam by which a very clever attacker sends you a very crafty socially engineered spearphishing email (with information gained from your social media accounts) that when the attachment is opened scrambles your computer files until you pay the attacker a “ransom,” which is very likely a relatively small amount of untraceable bitcoin.

It is somewhat ironic that not unlike various known computer operating systems, ransomware has now become available in different versions. CyptoLocker 3.0 has now given way to CryptoLocker 4.0, which has “added features.” “Ransomware as a Service” is also available on the DarkWeb for Sale, as are ransomware “joint ventures” for a price. Ugh!

Now I am not the best technical savvy cyber person in the universe, and I don’t have the secret decryption key to help those affected/infected by ransomware in every case. I am a cyber corporate governance person trying to help large and small corporations, private equity, and hedge funds deal with an increasing complex cyber threat and cyber regulatory environment.

Rather, I try and use common sense processes and procedures to help provide our clients with information about current threat actors and threat vectors, so that they (1) can stay safe, and (2) if they have a cyber problem be able to deal with it proactively to protect their businesses, clients and customers.

One of the solutions to the ongoing problem of ransomware is using the NIST cybersecurity framework proactively. What do I mean by that?

The NIST Cybersecurity Framework (“the Framework”) came out in February 2014 as a common sense method for allowing critical infrastructure to proactively assess their current cybersecurity posture and through continuous monitoring improve their posture accordingly.

The Framework’s elegant simplicity is what makes it such a great defense against ransomware. Three of its core elements are right on point:

1. IDENTIFY YOUR MOST CRITICAL ASSETS, WHERE THEY RESIDE, AND HOW YOU VALUE THEM

Do you know how many organizations don’t know where all their stuff is? When I mean “stuff,” I mean critical, super important stuff, like customer information, critical intellectual property, investment-related information, merger and acquisition-related information, critical manufacturing plans, and other personally identifiable or miscellaneous information (e.g. maybe data regarding their core sales drivers).

Once that task is complete, companies then need to map that data to a location, i.e. is it stored locally in the network server room, or is it in a cloud environment? You have to start somewhere with information management governance. Finding out where your stuff is a good start.

2. PROTECT WHICH MATTERS MOST

Ok then, your business is that of a regulated investment advisor. Your business sells the most delicious French toast ever made (using a recipe thought up by your wife), and it’s made and distributed through a plant in New Jersey that is run by both your IT network and by various industrial control devices or SCADA systems contained throughout your factory. The factory is your lifeblood.

If it isn’t running, you can’t make the French toast, and trucks can’t deliver it to food stores around the NY tristate area. And if it can’t get to food stores, your business is toast. So clearly you have three separate sources of critical information (“your crown jewels”) that need protecting – your basic IT network, your industrial control systems in your plant, and your client lists of the various food stores where you sell your French toast.

How are you protecting this data? Really think about the question in detail:

Do you have next generation firewalls to catch bad code before it enters your network and ICS devices and encrypts your files?

Do you patch your AV software as required to stay fully up to date on variants of ransomware? How quickly to patch “critical updates?” ASAP or whenever?

Do you conduct quarterly anti-spearphishing training for your employees so they don’t feel compelled to “click on every link”?

Do you have a DMARC or other email hardware/filter that will catch or sandbox suspicious socially-engineered or spoofed email before it encrypts your files?

Have you recently tested or “red-teamed” your ICS or SCADA systems to see if they can be (1) hacked, or (2) need to be patched, or (3) are otherwise subject to encryption coded commands that will shut your factory down

So your employee clicks on a link from the King of Arabia looking for his King’s Ransom, and your business gets “ransomwared” instead. The Recovery element of the NIST recommends the following: have processes and procedures in place to have your files backed up on a regular basis, stored off-site, tested periodically, and ready to employ on little to no notice if your files get encrypted, and you need to restore your network from the last available moment before the ransomware went live.

In enterprise risk management language, this is called “business continuity planning” or resiliency. In reality, this is called common sense. Understand that you will be hacked. And be ready to react at a moment’s notice.

There are so many variants of ransomware to which neither the NIST framework nor this article can do adequate justice. But using the Framework as a basis to re-evaluate your ransomware defenses is a perfect solution to a moving-target problem that calls not just for one solution or many solutions.

As we start 2016, and as the Framework approaches its second birthday, we are again urging client’s to use its core precepts to re-evaluate their defenses against all threat vectors. There is ghostware, stealthware, and other silent vectors to strike. Use the Framework as your “Seal Team Six” to fight back.